2017.03.24 Yongsoo Song - PowerPoint PPT Presentation



  1. 2017.03.24 Yongsoo Song

  2. Contents • Motivation • The Learning with errors (LWE) Problem • LWE-based Encryptions; Previous Works • Our Scheme • LWR • Result and Conclusion

  3. Motivation

  4. Motivation: Contemporary Cryptography
     • Public-Key Crypto: Diffie-Hellman key exchange (difficulty of DLP in a finite group), Elliptic Curve Crypto (difficulty of the elliptic curve DLP), RSA (difficulty of factoring). In the quantum computing era, all three can be solved efficiently.
     • Symmetric-Key Crypto: AES, Triple-DES. Need larger keys.
     • Hash: SHA-2, SHA-3. Need longer outputs.

  5. Motivation: Post-Quantum Cryptography
     • NSA is transitioning to post-quantum crypto in the “not too distant” future; http://www.iad.gov/iad/programs/iad-initiatives/cnsa-suite.cfm
     • NIST launched the Post-Quantum Crypto Project on Aug. 2, 2016; http://csrc.nist.gov/groups/ST/post-quantum-crypto
       - To standardize post-quantum public-key crypto: Encryption / Signature / Key Exchange
       - Timeline: Fall 2016, formal call for proposals; Nov 2017, deadline for submissions

  6. Motivation: Post-Quantum Crypto
     Families: Lattice-Based (NTRU, Regev’s Enc, Frodo); Hash-Based (Merkle Signature, Sphincs); Multivariate (Rainbow Signature); Code-Based (McEliece); Etc. (Isogenies, …)
     • Lattice-based crypto gains increasing attention;
       - Security based on the NP-hard worst-case lattice problems
       - Fast implementation
       - Versatility in many applications: HE, IBE, …
     • We focus on LWE-based Encryption

  7. Learning with Errors (LWE) Problem

  8. Solving a linear equation system (LWE Problem)
     • Q. Given the matrix A and the vector b = A·x (mod 10), find x = (x1, x2, x3)! ; Easy! (We can solve it by using Gaussian elimination)
     [Figure: a matrix of small integer rows multiplied by the unknown vector (x1, x2, x3), equal to a result vector; the entries are not recoverable from the extraction.]

  9. Learning with Errors Problem (LWE)
     • Q. Given A and b = A·x + e (mod 10), where e is a small unknown error vector, find x = (x1, x2, x3)! ; Hard!
     [Figure: the same matrix equation as on the previous slide with a small error vector added to the result; the entries are not recoverable from the extraction.]

  10. Decision-LWE Problem
     • Q. Distinguish the pair (A, A·s + e) from a uniform random sample of the same shape (mod 10 in the figure)! ; Hard!
     [Figure: the matrix A and the vector A·s + e beside a uniformly random vector; the entries are not recoverable from the extraction.]

  11. LWE-based Encryptions

  12. LWE + LHL [Reg05] (LWE-based Enc)
     • KeyGen: A ∈ Z_q^{m×n} uniform, b = A·s + e ∈ Z_q^m; pk = (A, b), sk = s.
     • Enc(M): pick a random r ∈ Z^m and output r^T·(A, b) + (0, M·q/2) = (r^T A, ⟨r, b⟩ + M·q/2).
     • Require a large m to randomize LWE samples in Encryption → Leftover Hash Lemma
     • Can we reduce m?

  13. LWE + LWE [LP11] (LWE-based Enc)
     • KeyGen: A ∈ Z_q^{m×n}, b = A·s + e; pk = (A, b), sk = s (small).
     • Enc(M): pick a small r ∈ Z^m and small errors e′, e″; output r^T·(A, b) + (e′, e″) + (0, M·q/2) = (A^T r + e′, ⟨b, r⟩ + e″ + M·q/2).
     • Pros: smaller m by replacing LHL with LWE
     • Cons: Discrete Gaussian samplings

  14. LWE + LWR [CKLS16] (Our Scheme)
     • KeyGen: A ∈ Z_q^{m×n}, b = A·s + e; pk = (A, b), sk = s (small).
     • Enc*(M): d = (A^T r, ⟨b, r⟩ + M·q/2) ∈ Z_q^{n+1}, then c = ⌊(p/q)·d⌉ ∈ Z_p^{n+1}.
       (cf. ⌊(p/q)·d⌉ simply discards the two least significant bits of each coordinate of d if q = 2^9 and p = 2^7; the figure shows binary strings such as 10110110, 01101011, 11010100, …, 01001001 with their tails cut off.)

  15. LWE + LWR [CKLS16] (Our Scheme)
     • Setup: choose moduli q, p and integers m, n.
     • KeyGen: b = A·s + e; pk = (A, b), sk = s.
       - s: sampled from a small distribution, e.g. binary (with small Hamming weight) or Gaussian
       - A: uniformly sampled from Z_q^{m×n}
       - e: sampled from a Gaussian distribution

  16. LWE + LWR [CKLS16] (Our Scheme)
     • KeyGen: b = A·s + e; pk = (A, b), sk = s.
     • Enc: r sampled from a small distribution, e.g. binary (with small Hamming weight) or Gaussian.
       (a′ = A^T r, b′ = ⟨b, r⟩ + M·q/2) ⇒ b′ ≈ ⟨a′, s⟩ + M·q/2 (mod q); d = (a′, b′).

  17. LWE + LWR [CKLS16] (Our Scheme)
     • KeyGen: b = A·s + e; pk = (A, b), sk = s (small).
     • Enc*(M): (a′ = A^T r, b′ = ⟨b, r⟩ + M·q/2), d = (a′, b′); c = ⌊(p/q)·d⌉ = (a, b) ⇒ b ≈ ⟨a, s⟩ + M·p/2 (mod p).
       (cf. ⌊(p/q)·d⌉ discards the two least significant bits of each coordinate if q = 2^9 and p = 2^7.)
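As an added toy illustration of slides 14–17 (this is not the Lizard implementation nor any code from the paper), the following Python realizes KeyGen as b = A·s + e, Enc* as d = (A^T r, ⟨b, r⟩ + M·q/2) followed by rounding to Z_p, and Dec. The moduli q = 2^9 and p = 2^7 are the slides' example; the dimension n, sample count m, Hamming weights of s and r, and the error width are assumed toy values far below any secure parameter set. It reports the ciphertext size before and after rounding, the decryption noise against the p/4 correctness bound, and the number of decryption failures.

```python
import random

# Toy parameters, assumed for illustration only (not the paper's parameter set):
Q = 2 ** 9        # LWE modulus q (slide 14 uses q = 2^9, p = 2^7)
P = 2 ** 7        # rounding modulus p, also the ciphertext modulus
N = 32            # LWE dimension n (assumed)
M_SAMPLES = 128   # number of LWE samples m in the public key (assumed)
H_S = 8           # Hamming weight of the sparse binary secret s (assumed)
H_R = 8           # Hamming weight of the sparse binary randomness r (assumed)
SIGMA = 2.0       # standard deviation of the rounded-Gaussian key error e (assumed)


def sparse_binary(length, weight, rng):
    """Binary vector with exactly `weight` ones (small Hamming weight, as on slide 15)."""
    v = [0] * length
    for i in rng.sample(range(length), weight):
        v[i] = 1
    return v


def round_q_to_p(x):
    """LWR rounding map Z_q -> Z_p: round((p/q) * x) mod p, in exact integer arithmetic."""
    return ((P * (x % Q) + Q // 2) // Q) % P


def keygen(rng):
    """KeyGen (slide 15): A uniform in Z_q^{m x n}, b = A*s + e mod q, pk = (A, b), sk = s."""
    s = sparse_binary(N, H_S, rng)
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M_SAMPLES)]
    b = []
    for row in A:
        e = round(rng.gauss(0, SIGMA))           # small Gaussian error, rounded to an integer
        b.append((sum(a * x for a, x in zip(row, s)) + e) % Q)
    return (A, b), s


def encrypt(pk, bit, rng):
    """Enc* (slides 16-17): d = (A^T r, <b, r> + M*q/2) in Z_q^{n+1}, then c = round((p/q) d)."""
    A, b = pk
    r = sparse_binary(M_SAMPLES, H_R, rng)       # no Gaussian sampling in encryption
    a_prime = [sum(A[i][j] * r[i] for i in range(M_SAMPLES)) % Q for j in range(N)]
    b_prime = (sum(bi * ri for bi, ri in zip(b, r)) + bit * (Q // 2)) % Q
    return [round_q_to_p(x) for x in a_prime], round_q_to_p(b_prime)


def decrypt(sk, ct):
    """Dec: v = b - <a, s> mod p is close to M*p/2, so decode to the nearest multiple of p/2."""
    a, b = ct
    v = (b - sum(ai * si for ai, si in zip(a, sk))) % P
    return 1 if P // 4 <= v < 3 * P // 4 else 0


def decryption_noise(sk, ct, bit):
    """Centred distance of v from M*p/2 (mod p); it must stay below p/4 for correctness."""
    a, b = ct
    v = (b - sum(ai * si for ai, si in zip(a, sk)) - bit * (P // 2)) % P
    return v - P if v > P // 2 else v


def ciphertext_bits():
    """Ciphertext size in bits before and after rounding: (n+1) log2 q vs (n+1) log2 p."""
    return (N + 1) * (Q - 1).bit_length(), (N + 1) * (P - 1).bit_length()


def roundtrip(trials=64, seed=1):
    """Encrypt alternating bits; return (decryption failures, worst observed |noise|)."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    failures, worst = 0, 0
    for t in range(trials):
        bit = t % 2
        ct = encrypt(pk, bit, rng)
        worst = max(worst, abs(decryption_noise(sk, ct, bit)))
        if decrypt(sk, ct) != bit:
            failures += 1
    return failures, worst


if __name__ == "__main__":
    print("ciphertext bits (q vs p):", ciphertext_bits())
    print("failures, worst noise (bound p/4 = %d):" % (P // 4), roundtrip())
```

Writing a = (a′ + e_1)·(p/q) and b = (b′ + e_2)·(p/q) with the rounding errors e_1, e_2, the decryptor sees b − ⟨a, s⟩ ≡ (p/q)·(M·q/2 + ⟨e, r⟩ + e_2 − ⟨e_1, s⟩) (mod p), so decryption is correct exactly when |⟨e, r⟩ + e_2 − ⟨e_1, s⟩| < q/4; with sparse binary s and r this sum stays small, which is why the code sees no failures at these parameters.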

  18. Learning with Rounding (LWR) Problem
     • Surprisingly, it is secure under the LWR assumption.
     • LWR: Distinguish any m pairs of type (a_i, b_i = ⌊(p/q)·⟨a_i, s⟩⌉) ∈ Z_q^n × Z_p from uniform.
       Discard the least significant bits of ⟨a_i, s⟩ instead of adding small errors.
     • Have a reduction from LWE when q is large or m is small.

  19. The Hardness of the LWR Problem
     (q: LWR modulus, p: rounding modulus, n: LWR dimension.)
     • Before 2016, a security reduction was known only when the modulus is somewhat large.
       - Banerjee, Peikert, Rosen [BPR12] introduced LWR and showed LWR ≥ LWE when q is sufficiently large (q ≥ p·B·n^{ω(1)}, B: LWE noise support bound).
       - Alwen et al. [AKPW13] showed LWR ≥ LWE when the modulus and the modulus-to-error ratio are super-polynomial.
     • Bogdanov et al. [BGM+16] in TCC 2016 showed LWR ≥ LWE when the number of samples is no larger than O(q/(B·p)) (B: LWE noise support bound).
     • Cryptanalytic hardness against the best known lattice attacks: LWR = LWE when the variance of the LWE noise is q²/(12p²) (the sizes of the noise vectors are the same).

  20. Caution! How many LSBs can be discarded? (LWR)
     • (Correctness) If we cut a large proportion, the correctness will not hold.
     • (Security) We cannot remove the noise addition if we cut very little.
     → Since the number of LWR samples in the Enc procedure is restricted to be small, we can choose a proper rounding modulus “p” to satisfy both security and correctness.
     <Bogdanov et al.> If the number of samples m is no larger than O(q/(B·p)), we cannot distinguish either one from uniform:
       (A, ⌊(p/q)·(A·s + e)⌉) ↔ (A, ⌊(p/q)·(A·s)⌉), A ∈ Z_q^{m×n}.

  21. Advantage of the LWR assumption
     • LWE-based Enc: b = A·s + e; pk = (A, b), sk = (−s, 1).
       - LP11.Enc(M) = (A^T r + e_1, ⟨b, r⟩ + e_2 + M·q/2), Var(e_i) = σ².
       - Lizard.Enc(M) = (⌊(p/q)·A^T r⌉, ⌊(p/q)·(⟨b, r⟩ + M·q/2)⌉); rounding error (e_1, e_2): uniform over [±q/(2p)], variance σ² = q²/(12p²).
       - Encryption noise: ⟨r, e⟩ + ⟨(e_1, e_2), sk⟩
     • Set the parameter σ² = q²/(12p²): preserve cryptanalytic hardness, LWE(m, q, σ) = LWR(m, q, p), and functionality (encryption noise).
     • Smaller CTXT
     • No Gaussian sampling in Encryption
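The LWR sample of slide 18 and the matching-variance rule of slides 19 and 21 (σ² = q²/(12p²)), as an added Python check that is not from the slides or the paper: it computes the implicit rounding error x − (q/p)·⌊(p/q)·x⌉ exactly over all of Z_q, confirms it is bounded by q/(2p) with variance close to q²/(12p²), and then estimates the same variance from sampled LWR pairs with a sparse binary secret. The moduli q = 2^13 and p = 2^7 used in the usage call, and the secret's dimension and weight, are assumed values.

```python
import random
from fractions import Fraction


def round_q_to_p(x, q, p):
    """LWR rounding Z_q -> Z_p: round((p/q) * x) mod p, in exact integer arithmetic."""
    return ((p * (x % q) + q // 2) // q) % p


def implicit_error(x, q, p):
    """The noise that rounding hides: x - (q/p) * round((p/q) x), centred into (-q/2, q/2]."""
    e = Fraction(x % q) - Fraction(q * round_q_to_p(x, q, p), p)
    return (e + Fraction(q, 2)) % q - Fraction(q, 2)


def exact_error_stats(q, p):
    """Mean, variance and max |error| over every x in Z_q (exact arithmetic, no sampling)."""
    errs = [implicit_error(x, q, p) for x in range(q)]
    mean = sum(errs) / q
    var = sum((e - mean) ** 2 for e in errs) / q
    return mean, var, max(abs(e) for e in errs)


def matching_lwe_variance(q, p):
    """The slides' rule: LWE noise variance sigma^2 = q^2 / (12 p^2) gives noise of the same size."""
    return Fraction(q * q, 12 * p * p)


def lwr_sample(s, q, p, rng):
    """One LWR sample (a, round((p/q) <a, s>)) in Z_q^n x Z_p (slide 18)."""
    a = [rng.randrange(q) for _ in range(len(s))]
    return a, round_q_to_p(sum(ai * si for ai, si in zip(a, s)) % q, q, p)


def sampled_error_variance(n, weight, num, q, p, seed=0):
    """Empirical variance of <a, s> - (q/p) b over `num` LWR samples with a sparse binary s."""
    rng = random.Random(seed)
    s = [0] * n
    for i in rng.sample(range(n), weight):        # sparse binary secret, as in the scheme
        s[i] = 1
    errs = []
    for _ in range(num):
        a, b = lwr_sample(s, q, p, rng)
        inner = sum(ai * si for ai, si in zip(a, s)) % q
        # b == round_q_to_p(inner), so this is inner - (q/p) * b, centred
        errs.append(float(implicit_error(inner, q, p)))
    mean = sum(errs) / num
    return sum((e - mean) ** 2 for e in errs) / num


if __name__ == "__main__":
    q, p = 2 ** 13, 2 ** 7                        # assumed moduli for the demonstration
    mean, var, mx = exact_error_stats(q, p)
    print("exact: mean=%s var=%s max|e|=%s  q/(2p)=%s  q^2/(12p^2)=%s"
          % (mean, var, mx, Fraction(q, 2 * p), matching_lwe_variance(q, p)))
    print("sampled variance:", sampled_error_variance(8, 4, 10000, q, p))
```

For q/p = 2^6 the error takes each of the 64 values −32, …, 31 equally often, so its exact variance is (64² − 1)/12 = 341.25 against the continuous q²/(12p²) = 341.33 on the slide; the discrete value is always slightly below the continuous one, which is the direction that keeps a parameter set chosen by the slide's rule conservative.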

  22. Performance of the IND-CPA scheme (Result)
     • Enc/Dec speeds; encrypting 256 bits with 128-bit post-quantum security
       Scheme            Enc                Dec
       RSA-3072          0.035 (116,894)    2.673 (8,776,864)
       NTRU EES593EP1    0.024 (80,558)     0.025 (82,078)
       Our Scheme        0.024 (80,558)     0.020 (62,813)
       [Table] Performance of our Enc/Dec procedures in milliseconds (number of cycles)
     • Our scheme: measured on a PC with an Intel dual-core i5 running at 2.6 GHz w/o parallelization.
     • RSA, NTRU: measured on a PC with an Intel quad-core i5-6600 running at 3.3 GHz, drawn from ECRYPT Benchmarking of Crypto Systems. RSA does not achieve post-quantum security.

  23. Security (Result)
     • Asymptotic hardness;
       - LWE with small secrets (e.g. Discrete Gaussian, Binary, Sparse binary)
       - Thanks to the reduction from LWE to LWR
     • Concrete hardness;
       - Follow the framework of Frodo / NewHope in parameter selection
       - Extension to the LWR problem (OLA)
       - Current combinatorial attack on sparse-secret LWE [Alb17]
     • Quantum security;
       - IND-CCA in the Quantum ROM using the modified FO conversion [TU16] → Optimal?

  24. Questions?
     Any comments, implementation tips, applications, and even attacks would be appreciated!
     Lizard: Cut off the Tail! Practical Post-Quantum Public-Key Encryption from LWE and LWR
     Jung Hee Cheon, Duhyeong Kim, Joohee Lee, and Yongsoo Song, ePrint 2016/1126

  25. Thank You !
